NAT Pools – When you are overloading a single IP, what is really happening is that the router is using the source ports available on that one IP to send and receive traffic on behalf of many IPs on the inside; each inside address:port pair gets its own outside port on that single address.

Once you have even a few PCs you can see from the translation table that many, many ports are in use, and while these connections tend to get torn down quickly, it is still quite possible to run out: there are only about 64,000 ports per protocol per address. It really just depends on how many active clients you have to NAT.

To overcome this, you can create a pool of external IPs to overload. The router will simply move to the next IP in the pool when the first one has run out of free ports.

Let's use the same lab as our last NAT example.

Router0 is using 128.128.129.2 on its outside interface. Its gateway is 128.128.129.1, which is on Router1.

If we are using that same lab, we first need to remove the overload NAT command we issued earlier. Clear the active translations before you do so; IOS refuses to remove a dynamic mapping while translations built from it still exist.

I can't really create the traffic in my lab to make this jump to the next IP, however 😀

Static NAT

This is also really useful if you have an internal IP that you want to map completely 1-to-1 to another IP on the other side of the router (a public one, for example). Follow the next example to accomplish this.

In our diagram you see on the inside a server with IP 10.0.0.254, and we want to make this server publicly available as 128.128.129.254. On our router we specify on the interfaces, as seen before, which is inside and which is outside, and then we pass a single static NAT command that maps 10.0.0.254 to 128.128.129.254. Keep in mind that a static mapping forwards every port of the server, not just the ones you intend to publish, so pair it with an ACL on the outside interface that permits only the services you want exposed.

Hey howdy. Yeah, another one of these. This is a quick NATing guide for Cisco routers.

In the Cisco world you have 3 basic types of NAT: Static, Dynamic and Overload (also called PAT). Obviously these notes are more for me than you 😀 and you should look to Cisco for the documentation.

NAT Overload – you are familiar with this one, and the concept is easy: if you are given a single public IP (or a small block) and you want to use NAT to let your local, non-public addresses reach the public internet, you can generally accomplish this with NAT Overload.

To accomplish this we start by identifying which interface is "inside" and which is "outside" on our router. We then define which inside addresses are allowed to be translated (an access list; keep it limited to the private ranges you actually own) and tie the two together with the overload rule.

Here is my diagram I made:

The blue on the left is the "inside" (int gi0/0) and the right is considered "outside" (int gi0/1); Router0 is your gateway to the internet. The other router in play here merely simulates the internet. I've placed a web server behind it, and that server is also running DNS.
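The following configuration is an added example that ties together the three NAT sections on this page (NAT Overload, NAT Pools and Static NAT); it is not the author's lab configuration. It assumes the inside network is 10.0.0.0/24 with gi0/0 at 10.0.0.1, gi0/1 at 128.128.129.2/24 with Router1 (128.128.129.1) as the default gateway, a pool range of 128.128.129.10 to .13, and that the published server needs only HTTP/HTTPS; the ACL and pool names and that port list are assumptions.

```cisco
! Added example, not the page's own config. Assumed addressing: inside 10.0.0.0/24
! on gi0/0, outside 128.128.129.2/24 on gi0/1, gateway 128.128.129.1 on Router1.

! --- Mark the NAT edge: which interface is "inside" and which is "outside" ---
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 128.128.129.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 128.128.129.1

! --- Which inside sources may be translated (only the range you own) ---
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
 deny   any

! --- 1. NAT Overload (PAT): many inside IPs share the single interface address ---
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload

! --- 2. NAT Pool: overload across several public addresses instead ---
! Exec mode first: flush live translations, or IOS refuses to remove the rule.
clear ip nat translation *
! Back in config mode: swap the interface rule for a pool rule. IOS answers ARP on
! gi0/1 for the pool addresses, so Router1 can reach them without extra config.
no ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
ip nat pool PUBLIC-POOL 128.128.129.10 128.128.129.13 netmask 255.255.255.0
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL overload

! --- 3. Static NAT: 1-to-1 mapping for the inside server ---
ip nat inside source static 10.0.0.254 128.128.129.254

! The static mapping exposes every port of 10.0.0.254. Filter inbound on the
! outside interface; that ACL sees the public (pre-translation) address.
! Port list (80/443) is an assumption for this example.
ip access-list extended OUTSIDE-IN
 permit tcp any host 128.128.129.254 eq 80
 permit tcp any host 128.128.129.254 eq 443
 permit tcp any any established
 permit udp any eq 53 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in

! --- Verify (exec mode) ---
show ip nat translations
show ip nat statistics
```

Sections 1 and 2 are alternatives, not both at once: pick the interface rule for a single address or the pool rule when you have a block. The "established" and DNS-reply lines in OUTSIDE-IN are the minimum needed so the overloaded clients still get their return traffic through the inbound filter.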

I’ve made some vlans on the switch and have applied static IPs to the various workstations and a single server.

The goal is to not allow traffic from any vlan to any other vlan, except for a single server.

ACLs are processed from the top down; the first entry a packet matches decides what happens to it, and no later entries are consulted. As an example: if sequence 5 tells the router to permit packets from 192.168.1.20 to network 192.168.20.0/24, and the next sequence denies 192.168.1.0/24 to 192.168.20.0/24 (which matches the rest of the source IPs on that subnet), then that one host gets through and everyone else on the subnet is blocked. If you had those two sequences switched, the deny would match the host first and the permit would never be reached.

To create an access list you first configure it and then apply it to an interface.

Let's start with VLAN 87.

We simply want to block any IP in 192.168.87.0/24 from reaching any 192.168.86.0/24 or 192.168.89.0/24 address.

On our CLI we start by giving the ACL a name and specifying that it is an extended list (an extended ACL can match on source, destination, protocol and port; a standard ACL matches on source address only).

Note: if you start putting in rules with no sequence number, they will simply start at 10 and increment by 10 (10, 20, and so on).

However, if you specify the sequence number first, you can choose where your entry lands in the list. I personally like spacing them out to leave room for later changes.

The command is simple; each entry is made up of:
Sequence# – auto-assigned numbers go 10, 20, 30 and so on in increments of 10. If you enter one as 31 it lands between 30 and 40 and stays 31; existing entries are not renumbered unless you run ip access-list resequence.
deny or permit
protocol – ip means everything; otherwise tcp, udp, icmp and so on, optionally followed by a port number or name (eq 80, eq www) if it is recognized.
Source – a network with a wildcard mask, host x.x.x.x, or any
Destination – a network with a wildcard mask, host x.x.x.x, or any

It's also worth noting that the item that looks like a subnet mask there is actually a wildcard mask, which is a bit of a curve, but you will learn fast: a 0 bit means that bit of the address must match exactly and a 1 bit means it can be anything. So 0.0.0.255 means "the last octet can change", which is the whole /24.

Note that I've placed a "permit ip any any" at the end. If your access list is only made of denies, it will simply deny everything, because every ACL ends with an implicit "deny ip any any" that is never shown. If you only need to permit certain addresses, then of course leave the final permit off and let the implicit deny do its job.

Now we need to apply the ACLs to our interfaces. You have to specify whether the filter applies to traffic the router is receiving from other devices on that interface (in) or traffic the router is sending out of it (out). For a VLAN interface, "in" filters what the hosts in that VLAN send toward the router, which is the natural place to stop them reaching the other VLANs.
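Here is the VLAN 87 access list and its application as an added example; it is not the author's configuration. It assumes the VLANs are terminated on router-on-a-stick subinterfaces (gi0/0.87 with 192.168.87.1 as the gateway) and that the single server every VLAN is allowed to reach is 192.168.86.254; both the subinterface layout and that server address are assumptions, since the page does not give them.

```cisco
! Added example, not the page's own config. Assumed: VLAN 87 on subinterface
! gi0/0.87 (gateway 192.168.87.1); the shared server is assumed to be 192.168.86.254.

ip access-list extended VLAN87-IN
 ! The exception goes first so it is matched before the broader denies below.
 ! Swap 5 and 10 and the server permit would never be reached.
 5  permit ip 192.168.87.0 0.0.0.255 host 192.168.86.254
 ! 0.0.0.255 is a wildcard mask: the last octet may vary, i.e. the whole /24.
 10 deny   ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
 20 deny   ip 192.168.87.0 0.0.0.255 192.168.89.0 0.0.0.255
 ! Everything else (internet via NAT, etc.) is allowed. Without this line the
 ! implicit "deny ip any any" at the end would drop all VLAN 87 traffic.
 30 permit ip any any
!
! Apply "in": filter packets the router receives from VLAN 87 hosts.
interface GigabitEthernet0/0.87
 encapsulation dot1Q 87
 ip address 192.168.87.1 255.255.255.0
 ip access-group VLAN87-IN in
!
! Entries keep the sequence numbers you gave them (5, 10, 20, 30). To renumber
! them back to even tens later, resequence explicitly (config mode):
ip access-list resequence VLAN87-IN 10 10

! Verify (exec mode): per-entry match counters show which sequence caught a packet.
show ip access-lists VLAN87-IN
```

The same pattern is repeated for VLAN 86 and VLAN 89, each with its own inbound list that permits the server and denies the other two VLAN subnets. Check the counters after testing: hits on sequence 10 or 20 mean a host was correctly blocked, hits on 5 mean the server exception is working.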